IOS User Manual


Cellebrite iOS Device

Physical Extraction Manual

November 22, 2011

Table of Contents
Introduction
Before you begin
Performing an Extraction
Step 1: Launch UFED Physical Analyzer
Step 2: Open iOS Device Physical Extraction
Step 3: Turn off the device
Step 4: Connect the device to your computer in Recovery Mode
Step 5: Setting the Device to DFU Mode
Step 6: Extract Data
Step 7: Wait
Step 8: Turn off the device
Instructions for Encrypted Devices
Extracting from a device with a simple passcode
Extracting from a device with a complex passcode

Introduction
This manual explains how to extract data from an iPhone, iPod or iPad using UFED Physical Analyzer.
UFED Physical Analyzer allows you to extract, decode and analyze data from the following devices running iOS Version 3.0 or
higher:
• iPhone (original)
• iPhone 3G
• iPhone 3GS
• iPhone 4 GSM
• iPhone 4 CDMA
• iPad 1
• iPod Touch (3rd generation)
• iPod Touch (4th generation)

Before you begin
Before you begin you will need:
• UFED Physical Analyzer installed on a PC with Windows XP / Vista / 7 Operating Systems (iPhone/iPod/iPad
  physical extraction will not work in Virtual Machine environments).
• UFED Cable Number 110.
• An Internet connection for the first run of iOS Physical to download the necessary forensic utilities. You can
  also download the utilities using a different computer and copy them manually to the computer running
  iOS Physical.

Performing an Extraction
The following steps will guide you through the extraction process.

Step 1: Launch UFED Physical Analyzer


1. Launch UFED Physical Analyzer by clicking the
application icon or program shortcut.

The default location of UFED Physical Analyzer is:

C:\Program Files\Cellebrite Mobile Synchronization\UFED Physical Analyzer

Step 2: Open iOS Device Physical Extraction
1. Open the Tools menu and select iOS Device Physical
Extraction. This will launch UFED iOS Physical.

The first run after installation


On the first run of UFED iOS Physical you will be asked to download the iOS Device Support Package. This contains the
newest utilities that enable UFED iOS Physical to work with a variety of devices and iOS versions. The download may
take a while, depending on your Internet connection.

If you don't have an Internet connection
If your computer is not connected to the Internet, download
the support package on a different computer and manually
copy it to your computer.
2. Click this link (http://www.cellebrite.com/ios) to download the latest support package.
3. Copy the file to the computer running iOS Physical.
4. On the welcome screen in iOS Physical, click on Install
from file and locate the file on your computer.

Step 3: Turn off the device
1. Follow the steps on the screen to turn the device off.

Step 4: Connect the device to your computer in Recovery Mode


1. Follow the steps on the screen to connect the device in Recovery
Mode.
Use Cellebrite Cable #110 or the Apple cable supplied with the
device.

2. After connecting the device in Recovery Mode, UFED iOS
Physical will display some device information, such as
serial number, hardware version, iOS version and more.
3. You can copy that information to the clipboard by
clicking the Copy link.

Note: When a range of versions is displayed, the version of
the device may be any version within the displayed range.
For example, if the version shows "4.0-4.0.2", the actual
version can be 4.0, 4.0.1 or 4.0.2.

Step 5: Setting the Device to DFU Mode
1. Click Next on the screen with the device information.
2. Follow the instructions on the screen to set the device to
DFU (Device Firmware Upgrade) mode.
UFED iOS Physical will not affect the device firmware or
user data.
Note: This step requires precise timing. If the device
accidentally turns on, disconnect it from the cable, turn it off
and start again.

3. When the device enters DFU mode, UFED iOS Physical
will upload the forensics program required to extract
data from the device.

Step 6: Extract Data
Now the device is ready for extraction.
1. Choose the desired extraction method (Physical or File
System).
2. Choose the location to which you wish to save the
extraction. You can save it on your computer or on a
removable storage device.
3. Choose a partition for extraction.
In a physical extraction you can choose the Data
partition, the System partition or both.
In a file system extraction you can choose the Data
partition or both partitions.
4. Click Next.
If the device is locked by a passcode, see "Instructions
for Encrypted Devices".

Step 7: Wait
1. Wait until the extraction completes.
The extraction duration varies depending on the
extraction method, the device model, amount of data on
the device, your computer and other parameters.
2. When the extraction is complete you will have four
options:
2.1. Open in UFED Physical Analyzer – Loads the
extraction file in UFED Physical Analyzer.
2.2. Open file location – Opens the folder that
contains the extraction files.
2.3. Turn off the device and exit – Turns off the device
and sets it back to normal mode.
2.4. Back to extraction options – Returns to the
extraction methods screen.

Step 8: Turn off the device
When you're done, it's recommended that you turn off the
device and set it back to normal mode.

Instructions for Encrypted Devices
UFED iOS Physical can extract data from encrypted devices. The amount of data that can be extracted depends on the
type of passcode with which the device is locked.
There are two kinds of passcodes:
• Simple passcode – 4 digits from 0 to 9 (e.g. 1234, 8787, 2580, etc.)
• Complex passcode – any combination of numbers, letters and symbols (e.g. 93qP@Mv, iLoVeYoU, etc.)
The decryption process happens in UFED Physical Analyzer and not during the extraction in iOS Physical. Most data can
be decrypted without knowing the passcode, such as contacts, messages, photos, some emails and more. However, to
decrypt some of the saved passwords and emails you will need to know the device passcode.
iOS Physical will automatically recover the passcode for you if the device is locked with a simple passcode. If the device is locked
with a complex passcode you can choose to manually try as many passcodes as you like or continue the extraction
without being able to decrypt some of the saved passwords and emails.
If the device isn't locked with a passcode, all data will be extractable – even if the device is encrypted.

Extracting from a device with a simple passcode
Follow Steps 1 through 5, as detailed in the previous
chapter.
When the device is ready for extraction you will have the
usual Physical Extraction and File System Extraction options
and an additional Passcode Recovery option.
The Passcode Recovery option will reveal the device passcode
so you can unlock and use the device or accelerate the
extraction process.
To extract and recover the passcode in a single process,
choose Physical Extraction or File System Extraction. In this
example we will demonstrate the steps with a physical extraction, but they are the same for a file system extraction.

1. Click on Physical Extraction.
2. In the next screen, choose the partition you wish to
extract and the location at which you want to save the
extraction. Click Next. If you don't know the passcode,
click on Recover the passcode for me. This will recover
the passcode prior to the extraction and will take more
time.
3. If you do know the passcode, enter it in the text box
below. You will see a check mark if you entered the
correct passcode. Then click Continue >.
4. The extraction will begin.

Extracting from a device with a complex passcode

Follow Steps 1 through 5, as detailed in the previous
chapter.
When the device is ready for extraction you will have the
usual Physical Extraction and File System Extraction options
and an additional Test passcodes option.
The option Test passcodes allows you to type in as many
passcodes as you like and checks them in real time. iOS
Physical cannot recover a complex passcode automatically.
As mentioned before, most data will be decrypted in UFED
Physical Analyzer, but some of the saved passwords and email files will not be decrypted. To extract data, choose
Physical Extraction or File System Extraction.
In this example we will demonstrate the steps with a physical extraction, but they are the same for a file system
extraction.

1. Click on Physical Extraction.
2. In the next screen, choose the partition you wish to
extract and the location at which you want to save the
extraction. Click Next.
3. iOS Physical can't recover a complex passcode
automatically, so you either have to enter it manually or
be aware that some data will not be decrypted in UFED
Physical Analyzer.
4. Use the text box to test as many passcodes as you like
without locking the device. If you enter the correct
passcode you will see a check mark and a Continue >
button will appear. Click it.
5. If you don't know the passcode, click Continue without passcode >.
6. The extraction will then begin.
